Friday, January 27, 2006

Advanced Web Attack Techniques using GMail

A few months ago, I discovered a vulnerability in GMail that made it trivial to compromise someone's email contact list. I demonstrated the issue to a friend at Google by emailing his GMail account a simple link. Upon clicking the link and viewing the page, with no XSS required, your contacts were displayed on screen (see screenshot). From there the email addresses could easily be stolen. Imagine if a spammer had stumbled across this!

The issue was fixed within a few days, but this particular vulnerability is interesting because the exploit technique is a bit different from the ones normally discussed. I've also been seeing the scenario described below increasingly often on websites. Those interested in browser security and AJAX development should take note.

Attack Details

Assumes some knowledge of Cross-Site Request Forgeries, but with a slight variation.

1) Email a GMail account a link and have the victim click it.
example: http://foo/index.html

2) HTML of http://foo/index.html
The single line of HTML below forces the web browser to automatically send an off-domain HTTP request to GMail. If the victim is logged in (obviously the case when you email a GMail account), the session cookies are sent along with the request, and the response contains the contact list. The URL was predictable across all users.

Page URL: http://foo/index.html

3) Sample content of http://mail.google.com/mail/?_url_scrubbed

The JavaScript line below contains an unreferenced array constant holding your contact list of email addresses.

GMail normally fetches this data on the fly with an XmlHttpRequest (XHR); the response is then eval'ed in the browser and assigned to a variable. In our case, however, the constant is loaded into the JavaScript space of http://foo/index.html using a script tag, so it is never assigned to a variable. This means accessing the data requires something more.

4) Accessing the contact list

When JavaScript parses and interprets the unreferenced array, the Array constructor is called. It's possible to overwrite the built-in Array constructor with our own to access the contact list. The new Array constructor uses setters to trigger events as each element is assigned, then parses out the data we want and prints it to screen.

Indeed. Reminds me a bit of the BSE warners back in 1984, when no one would ever have thought that this disease would spread. But it's no breaking news, is it? Try to close the door after the horse has left the barn... good luck.

> Make sure the file cannot be accessed by anything with an off-domain referer.

This is nice in theory, but it doesn't account for the null referrer case (which you really can't disable). If the attacker's goal is to harvest a lot of data, those who use proxies or have referrers disabled may be enough.

Blocking non-null off-site referrers is a nice thing to do, but is not a catchall solution.

jimbojw> Good point. My comment was before I learned more about forced browser referer spoofing. Amit Klein has found issues in both IE and Flash that allows a bad guy to alter a referer while performing a CSRF'ed request.

Yesterday, my gmail account was attacked. They changed the password, since I can't access the account. Also, when I try to reset the password, I never get the email to do so in my secondary email account. Any thoughts on how to proceed? I emailed Google the problem but I don't think they understand. Is there a way you can tell your Google friend? Thanks.

A new twist. My gmail account was open and a spam email was sent to all my contacts with the text below with a bunch of links to electronic junk for sale. All of my contacts were then deleted. Someone is getting through GMail security.

------------------------------------

Dear friend,I would like to introduce a good company who trades mainly in electornic products.Now the company is under sales promotion,all the products are sold nearly at its cost.They provide the best service to customers,they provide you with original products of good quality,and what is more,the price is a surprising happiness to you!It is realy a good chance for shopping.just grasp the opportunity,Now or never!The web address: www.lrq0710.com

Hello, I'm a German national and a gmail user... without technical knowledge.

I urgently need help with a similar problem. CONTACT DATA IS ACCESSED in my gmail account.

I always clear my folder "Temporary Internet Files". By chance I realised 2 days ago that there was a cookie of which the mail id of an acquaintance was a part. This was an email id which I myself haven't used for 3 years.

It was clear to me that my account is being spied on. I observed the cookies after each log-in and it has now happened with 5 other addresses: all of them were part of a cookie. None of the addresses (part of a contact list with 300 mail ids) have I myself used for years!

There is also an authentication cookie which looks like a program file and which was never there before during all the years I have used gmail.

About Me

Jeremiah Grossman's career spans nearly 20 years and has lived a literal lifetime in computer security to become one of the industry's biggest names. He has received a number of industry awards, been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for his security research. Jeremiah has written hundreds of articles and white papers. As an industry veteran, he has been featured in hundreds of media outlets around the world. Jeremiah has been a guest speaker on six continents at hundreds of events including many top universities. All of this was after Jeremiah served as an information security officer at Yahoo!